XP AntiSpyware 2010 / XP Guardian 2010: Removal
This is the removal process I’ve used for this piece of malware. Since it hooks the .exe extension in the registry, launching AV apps can be difficult. If you’re not careful with Autoruns and the registry you can brick your Windows install. I take no responsibility if that happens to you.
If you use Process Explorer while it is running on a machine, you will find where it is:
C:\Documents and Settings\USER\Local Settings\Application Data
- MSASCui.exe (XP Guardian 2010)
- AVE.EXE (XP AntiSpyware 2010)
- o7yIC10ETb (or some other randomly named file)
If you kill the process tree and move fast before it can restart, you can delete the files. It also makes a few changes to the Registry, which Malwarebytes will find. Basically you want to export these keys from a good machine and import them into the bad machine.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- HKEY_CLASSES_ROOT\.exe
- Run Autoruns and look for gibberish DLL files and delete them.
- Run a follow up scan with Malwarebytes to make sure everything is gone.
- Double check your Security Center/Firewall/Automatic Updates settings to make sure they’re where they need to be.
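Before importing the exported keys, it helps to see exactly which values the infection changed. The script below is an added example (not part of the original post): a small parser for regedit's .reg export format that diffs the clean machine's export against the infected one. The two exports embedded in it are constructed samples, and the hijacked default value is a placeholder, not a real malware artifact.

```python
"""Diff two .reg exports (e.g. HKEY_CLASSES_ROOT\\.exe from a clean
machine vs. the infected one) and report every value that differs."""
import re

# Constructed sample exports for this example; real regedit exports are
# UTF-16 with CRLF line endings, so read them with encoding="utf-16".
GOOD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
"""

BAD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="hijacked_placeholder"
"Content Type"="application/x-msdownload"
"""


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}.
    '@' is the key's default value. Hex data continued over several
    lines with a trailing backslash is joined back into one line."""
    keys, current = {}, None
    text = text.replace("\r\n", "\n").replace("\\\n", "")
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]  # plain string value: drop the quotes
            keys[current][name] = data
    return keys


def diff_reg(good_text, bad_text):
    """Return (key, value_name, clean_data, infected_data) for each value
    that differs between the two exports; a missing value shows as None."""
    good, bad = parse_reg(good_text), parse_reg(bad_text)
    diffs = []
    for key in sorted(set(good) | set(bad)):
        g, b = good.get(key, {}), bad.get(key, {})
        for name in sorted(set(g) | set(b)):
            if g.get(name) != b.get(name):
                diffs.append((key, name, g.get(name), b.get(name)))
    return diffs


if __name__ == "__main__":
    for key, name, g, b in diff_reg(GOOD_REG, BAD_REG):
        print(f"{key} [{name}]: clean={g!r} infected={b!r}")
```

Run it against the Security Center key export as well; any value that differs from the clean machine is what the import will overwrite.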